
SSLMap is a lightweight TLS/SSL cipher suite scanner. The tool was designed to meet the need for a simple but reliable way to detect weak cipher suites enabled on SSL endpoints. SSLMap uses a custom SSL engine to avoid unnecessary limitations imposed by existing libraries; as a result, it can detect uncommon cipher suites (e.g. GOST).

From the above output, you can tell that the server has several weak ciphers rated as EXPORT and LOW. Ideally, these ciphers should be removed from a production site. See the TLS and SSL Cipher Suites article on how to interpret the results.

If you would like to make your own decision on whether a particular cipher is weak or strong, you can repeat the scan with the --verbose flag enabled, which lets you see the individual components of the cipher suite and how the rating was calculated. Below is a snippet of the above scan with the verbose flag enabled:

Fuzzing

As a special note on the --fuzz parameter: you can use it both to stress test a target system and to discover as yet unknown cipher suites on it. Because there are a few million possible values for the cipher suite parameter, the test may run for some time.

TLS/SSL protocols support a large number of cipher suites. A cipher suite is a collection of symmetric and asymmetric encryption algorithms used by hosts to establish secure communication. Supported cipher suites can be classified based on encryption algorithm strength, key length, key exchange and authentication mechanisms. Some cipher suites offer a better level of security than others (e.g. several weak cipher suites were developed for export to comply with US export law). There are more than 200 known cipher suites.
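As an added illustration of that classification (example code written for this page, not SSLMap's own rating logic), the Python sketch below splits IANA-style suite names into key exchange, authentication, cipher and MAC components and derives a grade from them. The key-strength table, the grade thresholds and the sample names are assumptions.

```python
import re

# Assumed effective key bits and grade thresholds: illustrative values,
# not SSLMap's own rating rules.
EFFECTIVE_BITS = {"NULL": 0, "RC4_40": 40, "RC2_CBC_40": 40, "DES40_CBC": 40,
                  "DES_CBC": 56, "3DES_EDE_CBC": 112, "RC4_128": 128,
                  "CHACHA20_POLY1305": 256}

def parse_suite(name):
    """Split a pre-TLS 1.3 suite name (KX_AUTH_WITH_CIPHER_MAC) into parts."""
    m = re.fullmatch(r"(?:TLS|SSL)_(.+)_WITH_(.+)_([A-Z0-9]+)", name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx_auth, cipher, mac = m.groups()
    parts = re.sub(r"_EXPORT\d*", "", kx_auth).split("_", 1)
    bits = EFFECTIVE_BITS.get(cipher)
    if bits is None:  # key size stated in the name, e.g. AES_128_GCM
        size = re.search(r"_(\d{3})(?:_|$)", cipher)
        bits = int(size.group(1)) if size else None
    return {"kx": parts[0], "auth": parts[-1], "cipher": cipher, "bits": bits,
            "mac": mac, "export": "_EXPORT" in kx_auth}

def rate(name):
    """Return (grade, notes) for one cipher suite name."""
    s, notes = parse_suite(name), []
    if s["auth"] == "anon":
        notes.append("no server authentication")
    if s["mac"] == "MD5":
        notes.append("MD5 MAC")
    if s["export"]:
        grade = "EXPORT"
    elif s["bits"] is None:
        grade = "UNKNOWN"
    elif s["bits"] == 0:
        grade = "NULL"
    elif s["bits"] < 112:
        grade = "LOW"
    elif s["bits"] < 128 or s["cipher"].startswith("RC4"):
        grade = "MEDIUM"
    else:
        grade = "HIGH"
    return grade, notes

# Constructed sample input, not output from a real scan.
SAMPLE = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_DES_CBC_SHA",
          "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    for suite in SAMPLE:
        print(rate(suite), suite)
```

Names without a _WITH_ separator, such as the TLS 1.3 suites, are rejected with a ValueError rather than graded.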

OpenSSL is an open-source TLS/SSL toolkit implemented for a variety of platforms. In this article you will learn several openssl client and server commands useful in working with the TLS/SSL protocols.